Unable to resolv 1 domain
Ondřej Surý
ondrej at sury.org
Mon Apr 10 13:18:34 UTC 2017
Perhaps this could be added to things controlled by:
harden-algo-downgrade: yes/no?
I don't think there's any security risk from using SHA1 for DS record
verification even if SHA-2 is available.
Ultimately, it's your call and decision.
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for
baking bread of all kinds
On Mon, Apr 10, 2017, at 15:10, W.C.A. Wijngaards via Unbound-users
wrote:
> Hi Ondrej,
>
> On 10/04/17 14:57, Ondřej Surý wrote:
> > I see - the 31653 DS is only algo 1, but the other one is 1,2, but
> >
> > But RFC 4509 says:
> >
> > 3. Implementation Requirements
> >
> > Implementations MUST support the use of the SHA-256 algorithm in DS
> > RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
> > digests if DS RRs with SHA-256 digests are present in the DS RRset.
> >
> > So perhaps Unbound is too strict here? There are no known usable
> > attacks on SHA-1 for use in DNSSEC, so I don't think it's necessary to
> > ignore it right _now_.
>
> But unbound clearly implements the SHOULD and thus should be
> interoperable? That is what the 'SHOULD' is there for, right?
> So, I am doing this because I think it is the standard. And I think so
> should you.
>
> I didn't do this out of strictness, but out of trying to implement
> exactly what the standard said.
>
> Best regards, Wouter
>
> >
> > O.
> >
>
>
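As an added illustration, not code from this thread or from Unbound or Knot, here is the RFC 4509 section 3 rule the two messages disagree about, applied the way a validator would when matching a DNSKEY against the parent's DS RRset. The zone name, the dummy keys and the "stale SHA-1 DS" scenario are constructed assumptions.

```python
import hashlib
from typing import List, NamedTuple

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
SHA1, SHA256 = 1, 2
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def name_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, dnskey_rdata: bytes, digest_type: int) -> DS:
    """DS = key tag, algorithm, digest type, H(owner name || DNSKEY RDATA)."""
    h = HASHES[digest_type](name_wire(owner) + dnskey_rdata).digest()
    return DS(key_tag(dnskey_rdata), dnskey_rdata[3], digest_type, h)

def usable_ds(rrset: List[DS]) -> List[DS]:
    """RFC 4509 section 3: if any DS carries a SHA-256 digest, ignore the SHA-1 ones."""
    if any(ds.digest_type == SHA256 for ds in rrset):
        return [ds for ds in rrset if ds.digest_type != SHA1]
    return list(rrset)

def dnskey_matches(owner: str, dnskey_rdata: bytes, rrset: List[DS]) -> bool:
    """Validator check: does some usable DS in the parent authenticate this DNSKEY?"""
    return any(make_ds(owner, dnskey_rdata, ds.digest_type) == ds
               for ds in usable_ds(rrset) if ds.digest_type in HASHES)

# Constructed DNSKEY RDATA: flags=257 (KSK), protocol=3, algorithm=8, dummy public key.
KSK = (257).to_bytes(2, "big") + b"\x03\x08" + bytes(range(64))
OLD_KSK = (257).to_bytes(2, "big") + b"\x03\x08" + bytes(range(64, 128))
ONLY_SHA1 = [make_ds("example.", KSK, SHA1)]            # parent published SHA-1 only
BOTH = [make_ds("example.", KSK, SHA1), make_ds("example.", KSK, SHA256)]
# The failure mode from the thread: the SHA-1 DS points at a key that has no
# SHA-256 DS, so a validator following the SHOULD cannot use it at all.
BOTH_STALE = [make_ds("example.", OLD_KSK, SHA1), make_ds("example.", KSK, SHA256)]
```

A SHA-1-only DS RRset is still accepted; only the presence of a SHA-256 DS in the same RRset makes the SHA-1 ones disappear from the validator's view.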